Forms 6i Security

[yxez]

Hi Friends,

How do I make our 3rd party appl forms login more secure?

Currently, the appl program uses a primitive database authentication method
by providing the username and password of the database in clear text inside
a .ini file. Changing the database user and password will be useless due to
password being exposed literally. Users of the application are registered in a table in the database with the password of the user exposed in clear text. An administrator or anybody with database access will be able see a user's password in clear text thus user authentication is compromised.

Can I change the username to point to the database username and not a table?
Can I incrypt the password table entry itself?
Can I incrypt the .ini file so as not to show literal passwords?
Can I use the form to get the userid/passwd from LDAP active directory server?

Please help ....thanks a lot

[ROPMax]

We're on a slightly older version of FORMS as you but this should still work.

We have a 3rd party FORMS app which, like yours, used to throw up its own login prompt based on a table where ID's and passwords were stored in clear text. We had our 3rd party developer change the application to eliminate the login prompt completely. We then setup in Oracle a bunch of 'external authentication' ID's - one for each of our users. Our icon for launching the application now looks like this:

G:\95apps\Ciris\Orawin\Bin\F50run32.exe F01MAIN /

The forward slash at the end designates external authentication. So, if I'm logged into Windows as RPERRY and there exists an Oracle ID of "OPS$RPERRY" then I'm automatically logged into the 3rd party FORMS app without having to deal with a login prompt.

You would need in your init.ora file these lines:
remote_os_authent = true
os_authent_prefix = OPS$
(you can actually use any prefix you want).

Oracle ID's are created to match windows ID's with the indicated prefix and the 'external authentication' box checked. No password required.